Endpoint Management

Granting an Assigned User a Secure Token using Jamf Pro

Last modified 7/7/2020

About

This guide will show you how to use Jamf Pro to give the user assigned to a device a Secure Token using your local administrator account.

Before You Begin

Prerequisites

Be sure you meet the following prerequisites:

Getting Started

Log into the Jamf Pro Console

  1. Navigate to the Jamf Pro Console at https://jamf.illinoisstate.edu/ and log in.
  2. Make sure you are working under your IT Team's site.

Creating Smart Groups

  1. Navigate from the left pane: Computers > Smart Computer Groups > Select New


  2. Create the groups below:

  • FileVault - Eligible Computers that are Not Yet Encrypted

  • This group contains all devices that are capable of encryption but are not yet encrypted.

  • FileVault - Assigned User Needs a SecureToken

  • This group will contain computers where your local admin account has a SecureToken but the user assigned to the device does not.
  • We will use this group to target a policy that grants a SecureToken using your local admin account.
  • Change the highlighted sections in red:
    • For ISU SecureToken Status - edit it and add your local administrator account that has a SecureToken
    • For Computer Group - this lets you scope to your environment; you can use any smart or static group that you wish to target

  • FileVault - Assigned User Has a SecureToken

  • This group will contain computers that are safe to begin encrypting, because the user assigned to the device has a SecureToken.
  • Change the highlighted section in red:
    • For Computer Group - this lets you scope to your environment; you can use any smart or static group that you wish to target

  • FileVault - Ready to Begin Encryption

  • This group will be used to scope our FileVault policy.
  • For the highlighted section in red:
    • For Computer Group - this lets you scope to your environment; you can use any smart or static group that you wish to target
  • Groups Used:
    • FileVault - Eligible Computers that are Not Encrypted
    • FileVault - Assigned User Has SecureToken
    • Your Targeted Group



Creating a Policy to Grant a SecureToken to your Assigned User

  1. Navigate from the left pane: Computers > Policies



  2. Select New to create a new Policy.


  3. Give your policy a name and configure the settings in the General tab shown below.



  4. Select Scripts payload from the left pane and select Configure.


  5. Find script named "ISU enableUserUsingAdminForFV2.sh" and select Add


  6. You will be taken back to fill in some additional fields for the script.


    1. For Local Admin Username - use your local admin account that has a Secure Token
    2. For the Password fields - use the following guide: Encrypting a Password to Use in Scripts in Jamf Pro

  7. Select the Maintenance payload from the left pane and select Configure.

  8. Check Update Inventory.


  9. Select the Scope tab.

  10. Select the Group named "FileVault - Assigned User Needs a SecureToken" that we created earlier.


  11. Select Save in the bottom right when finished.

User Experience

After deploying the policy, the next time the assigned user of the device signs in, they will receive a prompt asking for their password. We must ask for their password because sysadminctl needs the user's credentials in order to pass a Secure Token to them.


Here is the part of the script that does the work in the background in order to pass the token:

sysadminctl -secureTokenOn $userName -password $usersPassword -adminUser $yourLocalAdmin -adminPassword $yourLocalAdminPW


Additional Information

After this policy is deployed and runs, go back to Smart Computer Groups: the computers will leave the "FileVault - Assigned User Needs a SecureToken" group and move into the "FileVault - Assigned User Has a SecureToken" group, and from there into the "FileVault - Ready to Begin Encryption" group.

If you want to know which users on a specific device have a Secure Token, go to that device in the Jamf Pro console, and under Extension Attributes you will see:

  • ISU Assigned User has SecureToken - True/False. True if the user assigned to the device in Jamf Pro matches one of the accounts listed in ISU SecureToken Status.
  • ISU SecureToken Status - A list of all accounts with a Secure Token on the device.
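The following shell script is an added example written for this guide; it is not ISU's "ISU enableUserUsingAdminForFV2.sh" and not the ISU extension attribute scripts. It shows the two pieces of logic the guide relies on: the pre-flight checks a policy script should make before running the sysadminctl -secureTokenOn command shown in the User Experience section (the local admin must already hold a token, the user must not), and the check behind the two extension attributes above (which local accounts hold a token, and whether the assigned user is among them). Function names, the use of the console user as a stand-in for the Jamf-assigned user, and the sample sysadminctl output line are assumptions made for the example; the live queries only run on macOS, and everywhere else the script exercises its parsing and decision logic on constructed data.

```bash
#!/bin/sh
# Added example for this guide (not ISU's policy or extension attribute script).

# `sysadminctl -secureTokenStatus <user>` reports, on stderr, a line such as
#   sysadminctl[123:456] Secure token is ENABLED for user alice
# Reduce that line to ENABLED, DISABLED or UNKNOWN.
token_state_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Live query (macOS only). 2>&1 captures the status line sysadminctl writes to stderr.
secure_token_state() {
    token_state_from_output "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Gate the grant: the admin must already hold a token (otherwise -secureTokenOn
# fails) and the user must not (otherwise there is nothing to do and the user
# should not be prompted for a password at all).
grant_decision() {
    admin_state="$1"
    user_state="$2"
    if [ "$admin_state" != ENABLED ]; then
        echo "ABORT: local admin has no Secure Token"
    elif [ "$user_state" = ENABLED ]; then
        echo "SKIP: user already has a Secure Token"
    else
        echo GRANT
    fi
}

# Extension-attribute style check: first argument is the assigned user, the
# rest are the accounts that hold a token. Prints True or False, the shape of
# the "ISU Assigned User has SecureToken" attribute.
assigned_user_has_token() {
    assigned="$1"
    shift
    for acct in "$@"; do
        if [ "$acct" = "$assigned" ]; then
            echo True
            return 0
        fi
    done
    echo False
}

# Live listing (macOS only): local accounts with UID >= 500 that hold a token,
# one per line. This is the data behind a "SecureToken Status" attribute.
token_holders() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r u; do
        if [ "$(secure_token_state "$u")" = ENABLED ]; then
            echo "$u"
        fi
    done
}

# Stand-alone run: real queries on macOS, constructed sample data elsewhere.
if [ "$(uname)" = Darwin ]; then
    holders=$(token_holders)
    # Stand-in for the user assigned in Jamf Pro: the current console user.
    assigned=$(stat -f %Su /dev/console)
    echo "Accounts with a Secure Token:"
    echo "$holders"
    # Word-splitting of $holders is intended: one account per argument.
    echo "Assigned user '$assigned' has token: $(assigned_user_has_token "$assigned" $holders)"
else
    # Constructed sample of a sysadminctl status line, for platforms without sysadminctl.
    sample="2020-07-07 09:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user localadmin"
    echo "Parsed admin state: $(token_state_from_output "$sample")"
    echo "Decision for admin=ENABLED, user=DISABLED: $(grant_decision ENABLED DISABLED)"
fi
```

In a real policy script, the admin and user states would come from secure_token_state for the Local Admin Username parameter and the assigned user, and the -secureTokenOn command would run only when grant_decision prints GRANT; that keeps the password prompt from appearing on devices where the user already holds a token or where the admin account cannot grant one.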